Bug 563797 - server error and traceback generated if user without admin access to the system group to view system profile
Summary: server error and traceback generated if user without admin access to the syst...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server
Version: 530
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Justin Sherrill
QA Contact: Dimitar Yordanov
URL:
Whiteboard:
Depends On:
Blocks: sat540-blockers
Reported: 2010-02-11 07:27 UTC by Xixi
Modified: 2018-10-27 12:49 UTC
CC: 4 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-10-28 14:59:06 UTC
Target Upstream Version:
Embargoed:



Description Xixi 2010-02-11 07:27:59 UTC
Description of problem:
If a user manually edits the URL for /rhn/systems/details/Overview.do to look at a system that they are not entitled to view (for example, an Activation Key Administrator manually changes the URL to the SID of a system), the result is an on-screen error and a traceback email. Satellite should handle this more gracefully: handle the error, then display a clearer and more informative permission error on screen, and do not generate a traceback.

Version-Release number of selected component (if applicable):
Red Hat Network (RHN) Satellite 5.3.0

How reproducible:
Always.

Steps to Reproduce:
1. Log in as the Satellite admin, and assign a normal user system group privileges: click on "Users" > (user name) > check "System Group Administrator" > click "Submit", then click on "System Groups" and make sure the user has admin access to one of the system groups.
2. Log in as this System Group admin, click on "Systems" > "System Groups" > (system group name) > "Systems" tab of system group > check the checkbox for a system in the system group > click "Remove Systems". The user no longer sees the system.
3. Navigate to the following URL to try to view the removed system:
https://<satellite-hostname>/rhn/systems/details/Overview.do?sid=<systemid-of-client>

Actual results:
The user sees a message on web UI:
***
We're sorry, but the system could not be found.

This error may have occurred in one of three ways:

1. The system requested does not exist. This is most likely if you arrived at this page through bookmarks or some other non-hyperlink.
2. You do not have permission to view this system.
3. You've found an error in our site.
***

In addition, a web traceback email is sent by the Satellite, with a traceback such as:
The following exception occurred while executing this request:
GET /rhn/systems/details/Overview.do
...
Exception:
com.redhat.rhn.common.hibernate.LookupException: Could not find server 1000010229 for user 41
        at com.redhat.rhn.manager.system.SystemManager.lookupByIdAndUser(SystemManager.java:876)
        at com.redhat.rhn.frontend.action.systems.sdc.SystemOverviewAction.execute(SystemOverviewAction.java:68)
        at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
        at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:237)
        at com.redhat.rhn.frontend.struts.RhnRequestProcessor.process(RhnRequestProcessor.java:82)
        at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
        at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
...
 
Expected results:
UI error stating user does not have access/permissions to view the system instead of saying system not found.  Also, no traceback should be generated.

Additional info:
Proposed fix: add system access check for user in com.redhat.rhn.manager.system.SystemManager.lookupByIdAndUser or com.redhat.rhn.frontend.action.systems.sdc.SystemOverviewAction.execute

Comment 3 Justin Sherrill 2010-07-28 21:14:44 UTC
Changed it to print a smaller message such as:

2010-07-28 17:11:57,924 [TP-Processor3] WARN  com.redhat.rhn.common.errors.LookupExceptionHandler - Could not find server 1000011505 for user 421


and to not send an email by default.  If a customer still wants to send email (with the full traceback), they can set:

lookup_exception_email = 1

in /etc/rhn/rhn.conf



fixed in spacewalk master: 3e6c2a40cb9f99743c733ffab1e943c9bd3fda26
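
The following is an added example, not code from the bug report or from Spacewalk/Satellite itself, that models the lookup-and-handle path described in the description (the proposed access check in lookupByIdAndUser) and in Comment 3 (a handler that logs one WARN line and e-mails the traceback only when lookup_exception_email = 1 is set in rhn.conf). It is written in Python rather than the project's Java so it can be run stand-alone; the system IDs, names, viewer lists and the tiny rhn.conf parser are constructed for the example. One design choice is deliberate: a non-existent system and a system the user may not view produce the same "could not be found" message, as the fixed UI in Comment 6 does, so that a user editing ?sid= in the URL cannot use the response to confirm which system IDs exist.

```python
import traceback

# Constructed sample inventory (IDs and names are illustrative, not from the
# reporter's Satellite): system id -> record with the user IDs allowed to view it.
SYSTEMS = {
    1000010104: {"name": "web01.example.com", "viewers": {141, 7}},
    1000010229: {"name": "db01.example.com", "viewers": {7}},
}

# The page's own wording; no distinction between "missing" and "forbidden".
NOT_FOUND_MESSAGE = "We're sorry, but the system could not be found."


class LookupException(Exception):
    """Raised when a server cannot be returned to a user, for whatever reason."""


def lookup_by_id_and_user(sid, user_id, systems=SYSTEMS):
    """Return the record only if the system exists AND user_id may view it.

    A missing system and a forbidden system raise the same exception with the
    same text, so the caller (or someone probing ?sid= values) cannot tell a
    valid-but-forbidden ID apart from a non-existent one.
    """
    system = systems.get(sid)
    if system is None or user_id not in system["viewers"]:
        raise LookupException(f"Could not find server {sid} for user {user_id}")
    return system


def read_rhn_conf(text):
    """Parse 'key = value' lines in the style of /etc/rhn/rhn.conf (hypothetical minimal parser)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def handle_lookup_exception(exc, conf, log_lines, outbox):
    """Model of the LookupExceptionHandler behaviour described in Comment 3.

    Always: append a single WARN line with no stack trace.
    Only when lookup_exception_email = 1: queue an e-mail carrying the full traceback.
    Returns the message shown to the user.
    """
    log_lines.append(
        "WARN  com.redhat.rhn.common.errors.LookupExceptionHandler - " + str(exc)
    )
    if conf.get("lookup_exception_email") == "1":
        # format_exc() is valid here because we are called from inside an except block.
        outbox.append(traceback.format_exc())
    return NOT_FOUND_MESSAGE


def overview_request(sid, user_id, conf_text, log_lines, outbox, systems=SYSTEMS):
    """Simulate GET /rhn/systems/details/Overview.do?sid=<sid> issued by user_id."""
    conf = read_rhn_conf(conf_text)
    try:
        system = lookup_by_id_and_user(sid, user_id, systems)
    except LookupException as exc:
        return handle_lookup_exception(exc, conf, log_lines, outbox)
    return f"System overview: {system['name']}"


if __name__ == "__main__":
    logs, mail = [], []
    # User 41 probes a system they were removed from; default config: no e-mail.
    print(overview_request(1000010229, 41, "", logs, mail))
    print(logs[-1], "| e-mails queued:", len(mail))
    # The same probe with e-mail re-enabled as described in Comment 3.
    print(overview_request(1000010229, 41, "lookup_exception_email = 1\n", logs, mail))
    print("e-mails queued:", len(mail))
```

The uniform message is the reason the example does not implement the "you do not have permission" wording the description asks for: with a per-case message, a System Group Administrator could enumerate which SIDs are real. The WARN line is still per user and per SID, so the permission failures remain visible to the operator in catalina.out.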

Comment 6 Garik Khachikyan 2010-10-25 13:47:39 UTC
# VERIFIED against errata.stage 
(signed packages - Satellite-5.4.0-RHEL5-re20101025.0)

Following is the error in catalina.out:
---
2010-10-25 15:45:08,688 [TP-Processor7] WARN  com.redhat.rhn.common.errors.LookupExceptionHandler - Could not find server 1000010104 for user 141

Here is the message on UI:
---
We're sorry, but the system could not be found.

This error may have occurred in one of three ways:

The system requested does not exist. This is most likely if you arrived at this page through bookmarks or some other non-hyperlink.
You do not have permission to view this system.
You've found an error in our site.
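
Once the fix is in place the traceback e-mail is off by default, so the WARN line in catalina.out shown above is the only record of a user requesting a SID they may not view. The following is an added example, not part of this bug or of Satellite, that parses those lines and flags users who hit many distinct SIDs, which is what URL editing as in the reproduction steps looks like from the server side. The log excerpt is constructed for the example (the format copies the line quoted in this comment; the INFO line and the threshold of three distinct SIDs are assumptions).

```python
import re
from collections import defaultdict

# Matches the post-fix WARN line quoted in this bug; timestamp, thread, SID and user ID are captured.
LOOKUP_WARN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[(?P<thread>[^\]]+)\] WARN\s+"
    r"com\.redhat\.rhn\.common\.errors\.LookupExceptionHandler - "
    r"Could not find server (?P<sid>\d+) for user (?P<user>\d+)$"
)

# Constructed catalina.out excerpt: user 141 misses one SID (a stale bookmark),
# user 421 walks through five consecutive SIDs within a few seconds.
SAMPLE_CATALINA_OUT = """\
2010-10-25 15:45:08,688 [TP-Processor7] WARN  com.redhat.rhn.common.errors.LookupExceptionHandler - Could not find server 1000010104 for user 141
2010-10-25 15:45:09,102 [TP-Processor2] INFO  example.unrelated.Component - constructed filler line, not a lookup failure
2010-10-25 15:46:01,004 [TP-Processor3] WARN  com.redhat.rhn.common.errors.LookupExceptionHandler - Could not find server 1000010100 for user 421
2010-10-25 15:46:01,388 [TP-Processor3] WARN  com.redhat.rhn.common.errors.LookupExceptionHandler - Could not find server 1000010101 for user 421
2010-10-25 15:46:01,790 [TP-Processor5] WARN  com.redhat.rhn.common.errors.LookupExceptionHandler - Could not find server 1000010102 for user 421
2010-10-25 15:46:02,201 [TP-Processor5] WARN  com.redhat.rhn.common.errors.LookupExceptionHandler - Could not find server 1000010103 for user 421
2010-10-25 15:46:02,655 [TP-Processor3] WARN  com.redhat.rhn.common.errors.LookupExceptionHandler - Could not find server 1000010104 for user 421
"""


def parse_lookup_failures(text):
    """Return one dict per LookupExceptionHandler WARN line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOOKUP_WARN.match(line)
        if m:
            events.append({
                "ts": m["ts"],
                "thread": m["thread"],
                "sid": int(m["sid"]),
                "user": int(m["user"]),
            })
    return events


def probing_users(events, min_distinct_sids=3):
    """Map user id -> sorted SIDs for users that failed lookups on at least
    min_distinct_sids different systems (threshold is an assumption)."""
    sids_by_user = defaultdict(set)
    for event in events:
        sids_by_user[event["user"]].add(event["sid"])
    return {
        user: sorted(sids)
        for user, sids in sids_by_user.items()
        if len(sids) >= min_distinct_sids
    }


if __name__ == "__main__":
    events = parse_lookup_failures(SAMPLE_CATALINA_OUT)
    print(f"{len(events)} lookup failures parsed")
    for user, sids in probing_users(events).items():
        print(f"user {user} requested {len(sids)} distinct SIDs they could not view: {sids}")
```

A single failure per user is normal (bookmarks to systems later removed from a group, as in the reproduction steps); a run of consecutive SIDs from one user in a short window is what to look for.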

Comment 7 Clifford Perry 2010-10-28 14:54:20 UTC
The 5.4.0 RHN Satellite and RHN Proxy release has occurred. This issue has been resolved with this release. 


RHEA-2010:0801 - RHN Satellite Server 5.4.0 Upgrade
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10332

RHEA-2010:0803 - RHN Tools enhancement update
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10333

RHEA-2010:0802 - RHN Proxy Server 5.4.0 bug fix update
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10334

RHEA-2010:0800 - RHN Satellite Server 5.4.0
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10335

Docs are available:

http://docs.redhat.com/docs/en-US/Red_Hat_Network_Satellite/index.html 

Regards,
Clifford

